Continuous assessment of your clusters to provide visibility into misconfigurations and guidelines to help you mitigate identified threats. Learn more about environment hardening through security recommendations.
Threat protection for clusters and Linux nodes. Alerts for suspicious activities are provided by Azure Defender for Kubernetes. This Azure Defender plan defends your Kubernetes clusters whether they’re hosted in Azure Kubernetes Service (AKS), on-premises, or on other cloud providers. clusters.
Learn more about run-time protection for Kubernetes nodes and clusters.
Container hosts (VM’s running Docker)
Continuous assessment of your Docker environments to provide visibility into misconfigurations and guidelines to help you mitigate threats identified by the optional Azure Defender for servers.
Learn more about environment hardening through security recommendations.
Azure Container Registry (ACR) registries
Vulnerability assessment and management tools for the images in your Azure Resource Manager-based ACR registries with the optional Azure Defender for container registries.
Learn more about scanning your container images for vulnerabilities.
What are containers?
So first to understand that what is a container. Containers are Serverless environments that run code in a isolated from other components.
With Docker you have the host and Docker installed on top of it. The host can be anything
All the the containers run their own thing and not knowing about the guy next door.
Two picture tells it all, the difference between Docker and traditional virtualization.
And if you want to deploy an image to Docker instance and make it fault-tolerant, you would need to deploy it to every single of the Docker containers. This is where Kubernetes comes to play.
Kubernetes (also known as k8s or “kube”) is an open source container orchestration platform that automates many of the manual processes involved in deploying, managing, and scaling containerized applications.
- Service discovery and load balancing Kubernetes can expose a container using the DNS name or using their own IP address. If traffic to a container is high, Kubernetes is able to load balance and distribute the network traffic so that the deployment is stable.
- Storage orchestration Kubernetes allows you to automatically mount a storage system of your choice, such as local storages, public cloud providers, and more.
- Automated rollouts and rollbacks You can describe the desired state for your deployed containers using Kubernetes, and it can change the actual state to the desired state at a controlled rate. For example, you can automate Kubernetes to create new containers for your deployment, remove existing containers and adopt all their resources to the new container.
- Automatic bin packing You provide Kubernetes with a cluster of nodes that it can use to run containerized tasks. You tell Kubernetes how much CPU and memory (RAM) each container needs. Kubernetes can fit containers onto your nodes to make the best use of your resources.
- Self-healing Kubernetes restarts containers that fail, replaces containers, kills containers that don’t respond to your user-defined health check, and doesn’t advertise them to clients until they are ready to serve.
- Secret and configuration management Kubernetes lets you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. You can deploy and update secrets and application configuration without rebuilding your container images, and without exposing secrets in your stack configuration
So with Kubernetes you can automate the orchestration of the Docker images. All docker images are inside pool that are their own unit.
Azure Kubernetes Service
Back in 2017 Microsoft release AKS (Azure Kubernetes Service)
Azure Container Registry is a private registry service for building, storing, and managing container images and related artifacts. In this quickstart, you create an Azure container registry instance with the Azure portal. Then, use Docker commands to push a container image into the registry, and finally pull and run the image from your registry
So with AKS developer can keep images for container in the registry and put them to pipelines that do the compliance check and then push to image to the clusters that have example docker in them.
And for this reason there is Defender for container registries, to protect the images from any harm.
Defender for container registries
Here is nice picture that will tell what will happen when you enable the protection and thus the monitoring.
And there is also an Defender for Kubernetes instead of only registries, really depends on your configuration and needs.
And with this one you can go even further with Azure ARC and on-premises deployments of Kubernetes.
Defender for Kubernetes is currently in Public Preview so it’s free and you shouldn’t be using it in production, but it’s a nice feature when it comes out.
And this is why I love Microsoft products, they provide the compliance, and governance and security for the whole set of various solutions and you can even use your Azure AD credentials in most of them.
What’s new and coming
- For AKS https://azure.microsoft.com/en-us/updates/?query=aks
- For Security Center https://azure.microsoft.com/en-us/updates/?query=security%20center
- And for containers https://azure.microsoft.com/en-us/updates/?query=container
And there is at least seven new features releases concerning Kubernetes in the Book Of News.
And link to whole book, nice reading.
More to come as Microsoft Ignite is on it’s way November 2–4! Stay tuned and safe!